QRLJacking: A New Social Engineering Attack
By Pankaj Rane - March 11, 2018
Social engineering strikes again, and this time it's via QR code.
Nowadays, applications use many different authentication mechanisms to protect user accounts from being hijacked. We are already aware of a few of them, such as two-factor authentication, network-based access authentication and IPsec authentication. One of these mechanisms is QR code authentication, recently implemented in many web and mobile applications to let a user sign into an application quickly without having to memorize or type a username and password.
What is QR code?
"A QR code consists of black squares arranged in a square grid on a white background, which can be read by an imaging device such as a camera, and processed using Reed-Solomon error correction until the image can be appropriately interpreted. The required data are then extracted from patterns that are present in both horizontal and vertical components of the image." - source: Wikipedia
Basically, a QR code is nothing but a two-dimensional barcode: a compact way to store a short piece of data (text, a URL or, in the case of QR login, an identifier for a pending session) in a grid of black squares.
How does QR code Authentication work?
The logic is quite simple. When you visit a web application, it displays a QR code on the login screen. That code encodes an identifier for the browser session that is waiting to be logged in. To authenticate, you take out your phone, on which the application's mobile app is already logged in, and scan the code with it; the app tells the server that the account holder approves that waiting browser session, and in less than five seconds you are logged into the web app on the computer. No passwords, no hassle, and you never touched the keyboard. If you have ever used WhatsApp Web in your browser, you are already familiar with this method.
So that's enough of the basics; now let's move on to the attack vector called "QRLJacking".
What is QRLJacking?
QRLJacking (Quick Response Code Login Jacking) is a simple social engineering attack vector capable of session hijacking, affecting all applications that rely on a "Login with QR code" feature as a secure way to log into accounts. The attacker gets the victim to scan a QR code that the attacker, not the victim, requested from the service; when the victim's app approves it, the session that gets logged in is the attacker's.
How does QRLJacking work?
Here's how the QRLJacking attack works behind the scenes:
1. The attacker initializes a client-side QR session and clones the login QR code into a phishing website. QR login codes are only valid for a short time, so the attacker keeps the cloned code regularly updated. Now a well-crafted phishing page with a valid, regularly refreshed QR code is ready to be sent to a victim.
2. The attacker sends the phishing page to the victim using social engineering skills.
3. The victim scans the QR code with the specific targeted mobile app.
4. The attacker gains control over the victim's account.
5. The service exchanges all the victim's data with the attacker's session.
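The QR login flow described above and the five attack steps can be modelled end to end in a few dozen lines. The following is an added example, not code from this article or from the OWASP/QRLJacking project: the server, the mobile app and the attacker are in-process mocks, and every class name, method name, fingerprint string and account name is an assumption made for illustration. It shows the legitimate flow, the relay that turns it into a hijack, and one client-side check (showing the user which browser requested the login and approving only a recognised one) that stops the relay.

```python
"""QR-code login and the QRLJacking relay against it, simulated in-process.

Added example; not code from the article or from OWASP/QRLJacking. All names,
fingerprints and the account name are assumptions made for illustration.
"""
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class PendingLogin:
    token: str        # the value the QR image encodes
    requester: str    # fingerprint of the browser that asked for the QR


class QRLoginServer:
    """Server side of a 'Login with QR code' flow (assumed design).

    A browser calls new_qr() and then polls poll(); an already-logged-in phone
    calls approve(). The server binds whichever browser session holds the token
    to the approving account. It never learns who is actually looking at the
    screen the QR was displayed on, which is exactly what QRLJacking exploits.
    """

    def __init__(self) -> None:
        self.pending: dict[str, PendingLogin] = {}   # session id -> pending
        self.sessions: dict[str, str] = {}           # session id -> user

    def new_qr(self, browser_fingerprint: str) -> tuple[str, str]:
        session_id = secrets.token_hex(8)
        token = secrets.token_urlsafe(16)
        self.pending[session_id] = PendingLogin(token, browser_fingerprint)
        return session_id, token   # the token is what the QR image encodes

    def describe(self, token: str) -> Optional[str]:
        """Tell the phone which browser requested this login."""
        for p in self.pending.values():
            if secrets.compare_digest(p.token, token):
                return p.requester
        return None

    def approve(self, token: str, phone_user: str) -> bool:
        for sid, p in list(self.pending.items()):
            if secrets.compare_digest(p.token, token):
                self.sessions[sid] = phone_user   # bind that browser session
                del self.pending[sid]
                return True
        return False

    def poll(self, session_id: str) -> Optional[str]:
        """The browser polls until its session is bound to a user."""
        return self.sessions.get(session_id)


class Phone:
    """The targeted mobile app, already logged in as `user`."""

    def __init__(self, user: str, server: QRLoginServer, trusted=()) -> None:
        self.user, self.server = user, server
        self.trusted = set(trusted)   # browser fingerprints the user recognises

    def scan(self, qr_payload: str, confirm: bool = False) -> bool:
        if confirm:
            # Hardened client: show where the request came from and approve
            # only if the user recognises that browser.
            if self.server.describe(qr_payload) not in self.trusted:
                return False
        return self.server.approve(qr_payload, self.user)


# Constructed fingerprints (documentation IP ranges, not real hosts).
VICTIM_BROWSER = "203.0.113.5 / Firefox"
ATTACKER_CLIENT = "198.51.100.7 / python-requests"


def legitimate_login(confirm: bool = False) -> Optional[str]:
    server = QRLoginServer()
    sid, token = server.new_qr(VICTIM_BROWSER)   # QR shown on alice's own screen
    Phone("alice", server, [VICTIM_BROWSER]).scan(token, confirm)
    return server.poll(sid)


def qrljacking(confirm: bool = False) -> Optional[str]:
    server = QRLoginServer()
    # Step 1: the attacker initialises a QR session and clones the token into
    # a phishing page (a real tool refreshes it before it expires).
    attacker_sid, token = server.new_qr(ATTACKER_CLIENT)
    phishing_page = token
    # Steps 2-3: the victim, lured to the page, scans it with the targeted app.
    Phone("alice", server, [VICTIM_BROWSER]).scan(phishing_page, confirm)
    # Steps 4-5: the attacker's browser session is now alice's.
    return server.poll(attacker_sid)


if __name__ == "__main__":
    print("legitimate login   :", legitimate_login())        # alice
    print("qrljacked          :", qrljacking())              # alice, attacker's browser
    print("with confirmation  :", qrljacking(confirm=True))  # None, relay blocked
```

The attack works because the only thing that ties an approval to a browser session is possession of the token, and the token is public the moment it is rendered as an image. The `confirm` path is one of the usual countermeasures: tell the user, on the phone, which client (IP, user agent, location) is asking to be logged in before the approval is sent. Short token lifetimes alone do not help, since the phishing page simply refreshes the code.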
QRLJacking Exploitation Framework:
The QRLJacking exploitation framework (QRLJacker) is a customizable framework written in Python that demonstrates the QRLJacking attack vector and shows how easy it is to hijack services that rely on QR code authentication.
You can download it from GitHub: https://github.com/OWASP/QRLJacking
Currently QRLJacker supports the following services:
Whatsapp, WeChat, Weibo, Yandex, Taobao, Taobao Trips, AliPay, Yandex Money, Yandex Passport, Airdroid, MyDigiPass, Zapper, Trustly App and Yelophone
Now you're probably wondering how to use this tool.
The YouTube video below demonstrates hijacking a WhatsApp session using the QRLJacking framework.